High computing capacity is achieved by connecting a few servers with the same or different functionality together to form a server farm. Applications running on these servers need to transfer data to one another. A server farm environment is generally built from servers having different levels of security. In such an environment, the secure servers must protect themselves from attacks originating at the servers having less security.
One of the methods to protect sensitive servers from attacks from less trusted servers is the use of application level firewalls. Application level firewalls generally are hosts running proxy servers, which do not permit direct traffic between segments of the networks, and which perform elaborate logging and auditing of data traffic passing through them. The proxy applications are software components running on the firewall and emulating the real target application. Having a proxy application in the way negatively impacts the performance of the server farm as a whole. It also makes the firewall less transparent, causing compatibility problems.
Since firewalls are a separate unit between segments of the network, and since they contain complex logic, they generate a substantial delay in the application-to-application communications. The more complex and high-level the filtering, the greater the delay. Furthermore, firewalls may cause a communication bottleneck and may add a point of failure between the applications. Moreover, a server farm may have a complex topology with redundant links and parallel configurations. In order to maintain the level of security for such a topology, a new firewall may be added for each new segment that may be created.
Moreover, high-level filtering is almost impossible if the protocol is complex or undocumented, because the network layers under the layer to be inspected need to be emulated. Therefore, application-level filtering is currently performed only on well-documented protocols in environments that are less performance-sensitive. Examples of such well-documented protocols include e-mail protocols, file transfer protocol (FTP) and hypertext transfer protocol (HTTP). Examples of protocols on which high-level filtering is not performed include database transactions, network file system (NFS) transactions and remote procedure call (RPC) transactions.
Currently application-to-application communication over a network involves several layers of protocol, for example the seven layers of the open systems interconnection (OSI) model. Among their many functions, these layers may enable error handling, rearranging packets that arrive in the wrong order, and multiplexing of data from different applications.
In the near future, application-to-application communication may take place over an efficient network having multi-channel communication hardware with communication protocols mostly implemented in hardware. Non-limiting examples of such network include new system area network (SAN), InfiniBand network, Fiber-Channel network and asynchronous transfer mode (ATM) network. Within these networks, it may be almost impossible and generally impractical to provide firewalls able to support the bandwidth and topology of these architectures. It would be advantageous to provide a new efficient method to filter application-to-application traffic.
It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.